From 1866c26b1fee2a5fe32e0538b429c46edc22d936 Mon Sep 17 00:00:00 2001
From: Jonny Ervine
Date: Sat, 9 Sep 2023 15:56:59 +0800
Subject: [PATCH] Add teleport values for home
---
 teleport-kube-agent/values-home.yaml | 453 +++++++++++++++++++++++++++
 1 file changed, 453 insertions(+)
 create mode 100644 teleport-kube-agent/values-home.yaml
diff --git a/teleport-kube-agent/values-home.yaml b/teleport-kube-agent/values-home.yaml
new file mode 100644
index 0000000..4e8dc6e
--- /dev/null
+++ b/teleport-kube-agent/values-home.yaml
@@ -0,0 +1,453 @@
+################################################################
+# Values that must always be provided by the user.
+################################################################
+
+# Join token for the cluster. `joinParams` can also pass the join token,
+# but supports more join methods and takes precedence if set.
+authToken: "36ce3b30a201d5c3fecaa0d97d57cc80"
+
+# Address of the teleport proxy with port (usually :3080).
+proxyAddr: "teleport.ipa.champion:443"
+# Comma-separated list of roles to enable (any of: kube,db,app)
+roles: "kube"
+
+################################################################
+# Values that must be provided if IAM or EC2 joining is enabled.
+################################################################
+
+# Specify how to join the Teleport cluster
+joinParams:
+ # Supported join methods are "token", "ec2", "iam".
+ # method "token", is equivalent to using authToken to join a cluster
+ method: "token"
+
+ # Leave empty only when method is "token" and the secret
+ # "teleport-kube-agent-join-token" has been created before and
+ # contains a valid join token.
+ tokenName: ""
+
+################################################################
+# Values that must be provided if Kubernetes access is enabled.
+################################################################
+
+# Name for this kubernetes cluster to be used by teleport users.
+kubeClusterName: "homeCluster"
+
+################################################################
+# Values that must be provided if Application access is enabled.
+################################################################
+
+# At least one of 'apps', 'appResources' must be provided
+# when application access is enabled. See the README for more details.
+
+# Details of at least one app to be proxied. Example:
+# apps:
+# - name: grafana
+# uri: http://localhost:3000
+apps: []
+
+# Dynamic application configuration mode. Example:
+# appResources:
+# - labels:
+# "*": "*"
+appResources: []
+
+################################################################
+# Values that must be provided if Database access is enabled.
+################################################################
+
+# At least one of 'databases', 'awsDatabases', 'azureDatabases', or 'databaseResources' must be provided
+# when database access is enabled. See the README for more details.
+
+# Database auto-discovery mode (AWS)
+# Details of at least one awsDatabase discovery pattern to be discovered
+# and proxied. Example:
+# awsDatabases:
+# - types: ["rds"]
+# regions: ["us-east-1"]
+# tags:
+# "environment": "production"
+awsDatabases: []
+
+# Database auto-discovery mode (Azure)
+# Details of at least one azureDatabase discovery pattern to be discovered
+# and proxied. Example:
+# azureDatabases:
+# - types: ["mysql", "postgres"]
+# tags:
+# "environment": "production"
+# regions: ["eastus", "centralus"]
+# subscriptions: ["subID1", "subID2"]
+# resource_groups: ["group1", "group2"]
+# Note that regions, subscriptions, and resource_groups are optional, and by default
+# the pattern for these selectors is ["*"] which will match all regions, subscriptions, or resource groups.
+azureDatabases: []
+
+# Manual database configuration mode
+# Details of at least one database to be proxied. Example:
+# databases:
+# - name: aurora
+# uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
+# protocol: "postgres"
+# static_labels:
+# env: "prod"
+databases: []
+
+# Dynamic database configuration mode. Example:
+# databaseResources:
+# - labels:
+# "*": "*"
+databaseResources: []
+
+################################################################
+# Values that you may need to change.
+################################################################
+
+# Version of teleport image, if different from chart version in Chart.yaml.
+# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
+# This chart is designed to run a specific teleport version (see Chart.yaml).
+# You will face compatibility issues trying to run a different Teleport version with it.
+#
+# If you want to run Teleport version X, you should use `helm --version X` instead.
+teleportVersionOverride: ""
+
+# Optional CA pins of the auth server. This enables a more secure way of
+# adding new nodes to a cluster. See "Adding Nodes to the Cluster"
+# (https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster).
+# Each list element can be the pin itself (recommended), or a path to a file
+# containing the pin. For the latter it is your responsibility to mount
+# the file, using extraVolumes.
+caPin: []
+
+# When set to true, the agent will skip the verification of proxy TLS
+# certificate.
+insecureSkipProxyTLSVerify: false
+
+# Set enterprise to true to use enterprise image.
+enterprise: false
+
+# teleportConfig contains additional teleport configuration
+# The configuration will be merged with the chart-generated configuration
+# and will take precedence in case of conflict
+teleportConfig: {}
+
+# Settings for mounting your own TLS material in the agent pod.
+# The agent does not expose a TLS server, so this is only used to trust CAs.
+tls:
+ # Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
+ # This is useful to trust private CAs.
+ # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
+ # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem`
+ # The filename inside the secret is important - it _must_ be ca.pem
+ existingCASecretName: ""
+
+updater:
+ enabled: false
+ # `updater.versionServer` is the URL of the version server the agent fetches
+ # the target version from. The complete version endpoint is built by
+ # concatenating `versionServer` and `releaseChannel`.
+ versionServer: "https://updates.releases.teleport.dev/v1/"
+ # Release channel the agent subscribes to.
+ releaseChannel: "stable/cloud"
+ image: public.ecr.aws/gravitational/teleport-kube-agent-updater
+ serviceAccount:
+ # service account name defaults to "-updater"
+ name: ""
+
+# If set, will use an existing volume mounted via extraVolumes
+# as the Teleport data directory.
+# If anything is set under the "storage" key, this will be ignored.
+existingDataVolume: ""
+
+# If true, create & use Pod Security Policy resources
+# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
+# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
+podSecurityPolicy:
+ enabled: true
+
+# Labels is a map of key values pairs about this cluster
+labels:
+ teleport.internal/resource-id: badd4bc3-ca45-4456-b2f9-513ec8e8bcbc
+
+# Settings for high availability.
+highAvailability:
+ # Set to >1 for a high availability mode where multiple Teleport agent pods will be deployed.
+ replicaCount: 1
+ # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
+ # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
+ # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
+ # This setting only has any effect when replicaCount is greater than 1.
+ requireAntiAffinity: false
+ # If enabled will create a Pod Disruption Budget
+ # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ podDisruptionBudget:
+ enabled: false
+ minAvailable: 1
+
+# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
+# This CRD is managed by the prometheus-operator and allows workload to
+# get monitored. To use this value, you need to run a `prometheus-operator`
+# in the cluster for this value to take effect.
+# See https://prometheus-operator.dev/docs/prologue/introduction/
+podMonitor:
+ # Whether the chart should deploy a PodMonitor.
+ # Disabled by default as it requires the PodMonitor CRD to be installed.
+ enabled: false
+ # additionalLabels to put on the PodMonitor.
+ # This is used to be selected by a specific prometheus instance.
+ additionalLabels: {}
+ # interval is the interval between two metrics scrapes. Defaults to 30s
+ interval: 30s
+
+################################################################
+# Values that must be provided if using persistent storage for Teleport.
+#
+# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`.
+# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV
+# to survive restarts and rotations while using short-lived joining tokens.
+#
+# Fields:
+# enabled: Set to true to enable the use of Persistent volumes.
+# storageClassName: The name of the kubernetes storage class to use when creating volumes. See https://kubernetes.io/docs/concepts/storage/storage-classes/
+# requests: The size of the volume to request from the persistent storage system
+################################################################
+storage:
+ enabled: false
+ storageClassName: ""
+ requests: 128Mi
+
+# Settings for configuring an cluster admin role binding.
+# This is useful for granting cluster admin permissions to a Kubernetes Group
+# other than the default "system:masters" group.
+# GKE Autopilot clusters forbid using the "system:masters" group for impersonation
+# and require a custom group to be used instead.
+adminClusterRoleBinding:
+ create: false
+ name: "cluster-admin"
+
+################################################################
+# Values that you shouldn't need to change.
+################################################################
+
+# Container image for the cluster.
+# Since version 13, hardened distroless images are used by default.
+# You can use the deprecated debian-based images by setting the value to
+# `public.ecr.aws/gravitational/teleport`. Those images will be
+# removed with teleport 14.
+image: public.ecr.aws/gravitational/teleport-distroless
+# Enterprise version of the image
+# Since version 13, hardened distroless images are used by default.
+# You can use the deprecated debian-based images by setting the value to
+# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
+# removed with teleport 14.
+enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
+# Optional array of imagePullSecrets, to use when pulling from a private registry
+imagePullSecrets: []
+# - name: myRegistryKeySecretName
+# Number of replicas for the agent deployment.
+# DEPRECATED Use highAvailability:replicaCount instead
+# replicaCount: 1
+# (optional) Override the name of the ClusterRole used by the agent's service account.
+clusterRoleName: ""
+# (optional) Override the name of the ClusterRoleBinding used by the agent's service account.
+clusterRoleBindingName: ""
+# (optional) Override the name of the Role used by the agent's service account for Secret access.
+roleName: ""
+# (optional) Override the name of the RoleBinding used by the agent's service account.
+roleBindingName: ""
+# (optional) Override the name of the service account used by the agent.
+# DEPRECATED Use serviceAccount:name instead
+serviceAccountName: ""
+# (optional) Kubernetes service account to create/use.
+serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+ # The name of the ServiceAccount to use.
+ # If not set and serviceAccount.create is true, the name is generated using the release name.
+ # If create is false, the name will be used to reference an existing service account.
+ name: ""
+
+# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
+rbac:
+ # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
+ # Set to false if your cluster level resources are managed separately.
+ create: true
+
+# Name of the Secret to store the teleport join token.
+# DEPRECATED Use joinTokenSecret.name instead
+secretName: ""
+
+# Manages the join token secret creation and its name.
+joinTokenSecret:
+ # create controls whether the Helm chart should create and manage the join token
+ # secret.
+ # If false, the chart assumes that the secret with the configured name already exists at the
+ # installation namespace.
+ create: true
+ # Name of the Secret to store the teleport join token.
+ name: teleport-kube-agent-join-token
+
+# Teleport logging configuration
+log:
+ # Log level for the Teleport process.
+ # Available log levels are: DEBUG, INFO, WARNING, ERROR.
+ # The default is INFO, which is recommended in production.
+ # DEBUG is useful during first-time setup or to see more detailed logs for debugging.
+ level: INFO
+ # Log output
+ # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
+ # Other supported values: 'stdout', 'stderr' and 'syslog'
+ output: stderr
+ # Log format configuration
+ # Possible output values are 'json' and 'text' (default).
+ format: text
+ # Possible extra_fields values include: timestamp, component, caller, and level.
+ # All extra fields are included by default.
+ extraFields: ["timestamp", "level", "component", "caller"]
+
+##################################
+# Extra Kubernetes configuration #
+##################################
+
+# Affinity for pod assignment
+# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+affinity: {}
+
+# Pod's DNS Configuration
+# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
+# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs.
+dnsConfig: {}
+# nameservers:
+# - 1.2.3.4
+# searches:
+# - ns1.svc.cluster-domain.example
+# - my.dns.search.suffix
+# options:
+# - name: ndots
+# value: "2"
+
+# Pod's DNS Policy
+# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+dnsPolicy: ""
+
+# nodeSelector to apply for pod assignment
+# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+nodeSelector: {}
+
+# Kubernetes labels to apply
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+extraLabels:
+ # Labels for the Cluster Role
+ clusterRole: {}
+ # Labels for the Cluster Role Binding
+ clusterRoleBinding: {}
+ # Labels for the Role
+ role: {}
+ # Labels for the Role Binding
+ roleBinding: {}
+ # Labels for the ConfigMap
+ config: {}
+ # Labels for the Deployment/StatefulSet
+ deployment: {}
+ # Labels for each Pod in the Deployment/StatefulSet
+ pod: {}
+ # Labels for the Pod Disruption Budget (ignored when disabled)
+ podDisruptionBudget: {}
+ # Labels for the Pod Security Policy (ignored when disabled)
+ podSecurityPolicy: {}
+ # Labels for the Secret (ignored when disabled)
+ secret: {}
+ # Labels for the ServiceAccount object
+ serviceAccount: {}
+
+# Kubernetes annotations to apply
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+annotations:
+ # Annotations for the ConfigMap
+ config: {}
+ # Annotations for the Deployment
+ deployment: {}
+ # Annotations for each Pod in the Deployment
+ pod: {}
+ # Annotations for the Secret (has no effect when `joinTokenSecret.create` is false)
+ secret: {}
+ # Annotations for the ServiceAccount object
+ serviceAccount: {}
+
+# Extra arguments to pass to 'teleport start' for the main Teleport pod
+extraArgs: []
+
+# Extra environment to be configured on the Teleport pod
+extraEnv: []
+
+# Extra volumes to mount into the Teleport pods
+# https://kubernetes.io/docs/concepts/storage/volumes/
+extraVolumes: []
+# - name: myvolume
+# secret:
+# secretName: testSecret
+
+# Extra volume mounts corresponding to the volumes mounted above
+extraVolumeMounts: []
+# - name: myvolume
+# mountPath: /path/on/host
+
+# Pod Host aliases (see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
+hostAliases: []
+# - ip: "127.0.0.1"
+# hostnames:
+# - "foo.local"
+# - "bar.local"
+# - ip: "10.1.2.3"
+# hostnames:
+# - "foo.remote"
+# - "bar.remote"
+
+# Allow the imagePullPolicy to be overridden
+imagePullPolicy: IfNotPresent
+
+# A list of initContainers to run before each Teleport pod starts
+# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+initContainers: []
+# - name: "teleport-init"
+# image: "alpine"
+# args: ["echo test"]
+
+# Resources to request for each pod in the deployment
+# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+resources: {}
+# requests:
+# cpu: "1"
+# memory: "2Gi"
+
+# Security context to add to the initContainer
+initSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+
+# Security context to add to other containers
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+
+# Priority class name to add to the deployment
+priorityClassName: ""
+
+# Tolerations for pod assignment
+# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Timeouts for the readiness and liveness probes
+# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+probeTimeoutSeconds: 1
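Review bot: `authToken: "36ce3b30a201d5c3fecaa0d97d57cc80"` at the top of the hunk commits a static cluster join token to the repository in plaintext; once pushed it stays in git history, so the token should be treated as exposed and rotated on the auth server before this values file is used. With `joinParams.method: "token"`, the file's own comments already describe the safer shape: keep `authToken: ""`, set `joinTokenSecret.create: false`, and create the `teleport-kube-agent-join-token` Secret out of band (a secret store or an install-time override rather than a committed file). `caPin: []` is also worth populating for a token join, since the comment on that key notes pinning is the more secure way of adding agents and it avoids relying on proxy TLS trust alone. The hunk is the whole new file, so nothing is cut off at either edge.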